Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating IPS Policy Rules

Before You Begin

Use this page to create intrusion prevention system (IPS) rules that define actions to be taken when the matching traffic pattern is found. You can add, edit, or delete rules to an IPS policy.

You can use the predefined IPS templates while creating an IPS policy. These templates contain rules that use default actions associated with attack objects. You can customize these templates to work on your network by selecting your own source and destination addresses and choosing IPS actions that reflect your security needs.

IPS rules protect your network from attacks by using attack objects to detect known and unknown attacks based on stateful signature and protocol anomalies. IPS exempt rules prevent unnecessary alarms from being generated.

To configure an IPS policy rule:

  1. Select Configure > IPS Policy > Policies > or Templates.
  2. Click the Add Rules link in the created policy.
  3. Click Create and then select IPS Rule or Exempt Rule.
  4. Complete the configuration according to the guidelines provided in Table 1 and Table 2.
  5. Click Publish.

A new IPS rule with your configuration is created. You can use this rule in an IPS policy or an IPS policy template.

Table 1: IPS Policy Rule Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters.

IPS Type

Display the rule of the specified type. For example, IPS, Exempt.

Src. Zone

Click the Source Zone field and configure the source zone editor settings.

Source Zone Editor

Zone

Select any zone for the source. You can also use zone exceptions to specify unique to zones for each device. Specify any to monitor network traffic originating from any zone. The default value is any.

Src. Address

Click the Source Address field and configure the source address settings.

Source Address

Address Selection

Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects.

Addresses

Select one or more available IP addresses from the Available column to include in the selected list for the rule.

Add New Source Address

Click the button to add a new source address.

Dest. Zone

Click the Destination Zone field and configure the destination zone editor settings.

Destination Zone Editor

Zone

Select any zone for the destination. You can also use zone exceptions to specify unique from zones for each device. Specify any to monitor network traffic to any zone. The default value is any.

Dest. Address

Click the Destination Address field and configure the destination address settings.

Destination Address

Address Selection

Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects.

Addresses

Select one or more available IP addresses from the Available column to include in the selected list for the policy rule.

Add New Destination Address

Click the button to add a new destination address.

Service

Click the Service field and configure the service editor settings.

Service Editor

Services

Select an available services for the policy rule. For example:

  • ftp—FTP allows the sending and receiving of files between machines.

  • ssh—SSH is a program to log into another computer over a network through strong authentication and secure communications on a channel that is not secure.

  • Web—Policy allows access to users who have previously been authenticated by Web authentication.

  • User Firewall—Uses the username and role information to determine whether to permit or deny a user's session or traffic.

  • Infranet—Pushes the user and role information for all authenticated users from the Access Control Service.

The default value is Default.A service in Security Director refers to an application on a device, such as Domain Name System (DNS). Services are based on protocols and ports and when added to a policy can be applied across all devices managed by Security Director.

Add New Service

Click the button to add a new service.

IPS Signature

Click the IPS Signature field and configure the IPS signature settings.

IPS Signature

IPS Signatures

Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule.

Add New IPS Signature

Click the button to add a new IPS signature.

Action

Click the Action field and configure the action settings.

Action

Action

Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:

  • No Action—Does not take action. Use this action when you only want to generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

    Note:

    This action does not mean ignore an attack.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source IP address.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Close Client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server but not to the client.

  • Close Client and Server—Closes the connection and sends an RST packet to both the client and the server.

  • Recommended—Gives a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories. For example, severity groups attack objects by the severity assigned to the attack.

  • Diffserv Marking—Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally.

    When you select Diffserv Marking, you need to enter code value.

    • Code Point for Diffserv Marking—Enter a code point value. Based on the DSCP value, behavior aggregate classifiers set the forwarding class and loss priority for the traffic deciding the forwarding treatment the traffic receives.

Note:

The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets.

Notification Opt.

Click the Notification field and configure the notification settings.

Notification Opt.

Attack Logging

Enable this option to log attacks.

Alert Flag

Enable this option to add an alert flag to an attack log.

Log Packets

Enable this option to log packet capture when a rule matches.

Packets Before

Enter the number of packets processed before the attack is captured.

Packets After

Enter the number of packets processed after the attack is captured.

Post Window Timeout

Enter the time limit for capturing post-attack packets for a session.

No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds.

IP Action Opt.

Click the IP Action field and configure the IP action settings.

IP Action Opt.

IP Action

Select an option to apply actions on future connections that use the same IP action attributes:

  • None—Does not take any action against future traffic.

  • IP Notify—Does not take any action against future traffic but logs the event. This is the default.

  • IP Close—Closes any new sessions matching this IP action rule by sending RST packets to the client and server.

  • IP Block—All packets of any session matching the IP action rule are dropped silently.

    When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Close Session action, the next in severity is the Drop/Block Session action, and then the Notify action.

IP Target

Select an option to block future connections:

  • None—Does not match any traffic.

  • Destination Address—Matches traffic based on the destination address of the attack traffic.

  • Service—For TCP and UDP, matches traffic based on the source address, source port, destination address, and destination port of the attack traffic. This is the default.

  • Source Address—Matches traffic based on the source address of the attack traffic.

  • Source Zone—Matches traffic based on the source zone of the attack traffic.

  • Source Zone Address—Matches traffic based on the source zone and source address of the attack traffic.

  • Zone Service—Matches traffic based on the source zone, destination address, destination port, and protocol of the attack traffic.

Refresh Timeout

Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter.

Timeout Value

Enter the number of seconds that you want the IP action to remain in effect after a traffic match.

Default value is 0 seconds and the range is from 0 through 64,800 seconds.

Log Taken

Enable this option to log information about the IP action against the traffic that matches a rule.

Log Creation

Enable this option to generate a log event on the IP action filter.

Additional Opt.

Click the Additional field and configure the additional settings.

Additional Opt.

Severity

Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems.

Terminal

Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched.

Description

Enter a description for the IPS policy rule; maximum length is 4096 characters.

Table 2: IPS Policy Templates Rule Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

IPS Type

Display the rule of the specified type. For example, IPS, Exempt.

IPS Signature

Click the IPS Signature field and configure the IPS signature settings.

IPS Signature

IPS Signatures

Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule.

Add New IPS Signature

Click the button to add a new IPS signature.

Action

Click the Action field and configure the action settings.

Action

Action

Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:

  • No Action—Does not take action. Use this action when you only want to generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

    Note:

    This action does not mean ignore an attack.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source IP address.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Close Client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server but not to the client.

  • Close Client and Server—Closes the connection and sends an RST packet to both the client and the server.

  • Recommended—Gives a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories. For example, severity groups attack objects by the severity assigned to the attack.

  • Diffserv Marking—Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally.

    When you select Diffserv Marking, you need to enter code value.

    • Code Point for Diffserv Marking—Enter a code point value. Based on the DSCP value, behavior aggregate classifiers set the forwarding class and loss priority for the traffic deciding the forwarding treatment the traffic receives.

Note:

The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets.

Notification Opt.

Click the Notification field and configure the notification settings.

Notification Opt.

Attack Logging

Enable this option to log attacks.

Alert Flag

Enable this option to add an alert flag to an attack log.

Log Packets

Enable this option to log packet capture when a rule matches.

Packets Before

Enter the number of packets processed before the attack is captured.

Packets After

Enter the number of packets processed after the attack is captured.

Post Window Timeout

Enter the time limit for capturing post-attack packets for a session.

No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds.

IP Action Opt.

Click the IP Action field and configure the IP action settings.

IP Action Opt.

IP Action

Select an option to apply actions on future connections that use the same IP action attributes:

  • None—Does not take any action against future traffic.

  • IP Notify—Does not take any action against future traffic but logs the event. This is the default.

  • IP Close—Closes any new sessions matching this IP action rule by sending RST packets to the client and server.

  • IP Block—All packets of any session matching the IP action rule are dropped silently.

    When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Close Session action, the next in severity is the Drop/Block Session action, and then the Notify action.

IP Target

Select an option to block future connections:

  • None—Does not match any traffic.

  • Destination Address—Matches traffic based on the destination address of the attack traffic.

  • Service—For TCP and UDP, matches traffic based on the source address, source port, destination address, and destination port of the attack traffic. This is the default.

  • Source Address—Matches traffic based on the source address of the attack traffic.

  • Source Zone—Matches traffic based on the source zone of the attack traffic.

  • Source Zone Address—Matches traffic based on the source zone and source address of the attack traffic.

  • Zone Service—Matches traffic based on the source zone, destination address, destination port, and protocol of the attack traffic.

Refresh Timeout

Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter.

Timeout Value

Enter the number of seconds that you want the IP action to remain in effect after a traffic match.

Default value is 0 seconds and the range is from 0 through 64,800 seconds.

Log Taken

Enable this option to log information about the IP action against the traffic that matches a rule.

Log Creation

Enable this option to generate a log event on the IP action filter.

Additional Opt.

Click the Additional field and configure the additional settings.

Additional Opt.

Severity

Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems.

Terminal

Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched.

Description

Enter a description for the IPS policy rule; maximum length is 1024 characters.